Last post Aug 13, 2020 10:26 PM by bruce (sqlwork.com)
Aug 11, 2020 09:21 PM|dvnandover|LINK
I was asked to create an MVC application where I will have different authorizations for different AD groups and different users. For example, some of the controllers can only be accessed by some AD groups (ADMIN and SuperUser). Some other controllers can be accessed by anyone with Windows credentials. So I have <deny users="?"/> in my web.config, which allows non-anonymous users to access most of my controllers. For controllers I wanted to restrict access to the Admin and Superuser groups, I decorated each of the controllers like this: [Authorize(Roles = "ADMIN, SuperUsers")]. Everything seems to work correctly, but now I would like to add a few users who are not part of ADMIN or SuperUser to have access to the same controllers that ADMIN and SuperUsers have access to, so I decorated the controller like this: [Authorize(Roles = "ADMIN, SuperUsers", Users = "user1, user2")]. Here is where it is not working, and user1 or user2 got a 401 error when trying to access those restricted controllers. So my question is what did I do
Thank you in advance.
Aug 11, 2020 09:32 PM|bruce (sqlwork.com)|LINK
probably the user name includes the domain.
Aug 12, 2020 12:05 PM|dvnandover|LINK
That is not the case. Using myself as a sample, whether I am in there or not, I don't have access either: [Authorize(Roles = "ADMIN, SuperUsers", Users = "me")].
Aug 12, 2020 01:13 PM|dvnandover|LINK
Aug 12, 2020 02:41 PM|dvnandover|LINK
Aug 12, 2020 04:07 PM|dvnandover|LINK
Aug 12, 2020 04:49 PM|bruce (sqlwork.com)|LINK
I don't know which authentication role provider you are using, but it's probably not loading the ad roles. one issue with ad roles, there may be too many to store in a cookie (I have hundreds of ad roles), so you may need to add the roles to the principal
after the cookie is read. use the after authenticate event to read the AD and add roles.
note: I create a whitelist of roles to load by my custom ad role provider (only the ones used by my apps), so they fit in the cookie.
Aug 12, 2020 05:08 PM|dvnandover|LINK
Aug 12, 2020 06:07 PM|bruce (sqlwork.com)|LINK
you need an identity role provider to load the roles. the default user manager comes with one. if you are just using windows authentication, you will need to find or create one that supports the AD as one is not
google for creating a MVC custom role provider. then google for accessing the AD.
Aug 12, 2020 09:05 PM|dvnandover|LINK
Aug 13, 2020 05:07 PM|dvnandover|LINK
Aug 13, 2020 10:26 PM|bruce (sqlwork.com)|LINK
MVC does not have built-in support for AD roles, just principal. You need a custom role provider that will query for the roles and add to the principal. here is a simple implementation:
out of the box, MVC and windows authentication only supports [Authorize]. If some roles are supported, then you may have a custom authorize attribute.
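Added example, not code from this thread or from ASP.NET MVC itself: in MVC 5 the stock AuthorizeAttribute requires the caller to pass both the Users check and the Roles check when both are set, so a custom attribute is one way to get "in a listed role OR a listed user". The class name AuthorizeRolesOrUsersAttribute and the DOMAIN\user1 values are hypothetical, and the code assumes the principal already answers IsInRole for the listed groups (for example through a role provider as discussed above).

```csharp
using System;
using System.Linq;
using System.Web;
using System.Web.Mvc;

// Hypothetical attribute (added example): allow when the caller is in ANY listed
// role OR is ANY listed user. Usage, with placeholder account names:
// [AuthorizeRolesOrUsers(Roles = "ADMIN, SuperUsers", Users = @"DOMAIN\user1, DOMAIN\user2")]
public sealed class AuthorizeRolesOrUsersAttribute : AuthorizeAttribute
{
    // Split a comma-separated list the same way for Roles and Users.
    private static string[] Split(string csv)
    {
        return (csv ?? string.Empty)
            .Split(new[] { ',' }, StringSplitOptions.RemoveEmptyEntries)
            .Select(s => s.Trim())
            .Where(s => s.Length > 0)
            .ToArray();
    }

    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        if (httpContext == null) throw new ArgumentNullException("httpContext");

        var user = httpContext.User;
        if (user == null || user.Identity == null || !user.Identity.IsAuthenticated)
            return false; // anonymous callers are always rejected

        var roles = Split(Roles);
        var users = Split(Users);

        // Neither list set: behave like plain [Authorize].
        if (roles.Length == 0 && users.Length == 0) return true;

        // With Windows authentication Identity.Name is DOMAIN\user, so the
        // Users list must carry the domain prefix to match.
        string name = user.Identity.Name ?? string.Empty;
        bool userMatch = users.Contains(name, StringComparer.OrdinalIgnoreCase);
        bool roleMatch = roles.Any(user.IsInRole);
        return userMatch || roleMatch;
    }

    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        // Authenticated but not permitted: answer 403 so the browser does not
        // re-prompt for Windows credentials as it would on a 401.
        if (filterContext.HttpContext.User.Identity.IsAuthenticated)
            filterContext.Result = new HttpStatusCodeResult(403);
        else
            base.HandleUnauthorizedRequest(filterContext);
    }
}
```

Keep the Users list short and review it like any other access grant, since per-user entries bypass the AD group membership process.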